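{=
#
# This handles a "dp&action&a=" URL (network action).
#
# Flow:
#   1. Resolve credentials: URL/command-line parameters first, then HTTP Basic.
#   2. Verify the credentials with authenticate().
#   3. Check that the user may run the requested action on the requested profile.
#   4. Look the action up under 'actions', validate its required parameters,
#      and evaluate the expression configured for it.
#
# SECURITY:
#   - The credential check (step 2) and the permission check (step 3) must BOTH
#     pass. Previously the result of authenticate() was overwritten by the
#     permission check before it was ever tested, so the password check had no
#     effect on the outcome.
#   - Credentials sent as lun/lpw URL parameters can end up in web server access
#     logs, proxy logs and browser history. HTTP Basic over TLS avoids that.
#   - Do not add debug output that prints the password.
#

include "lib.action";
include 'lib.rbac';
include 'templates.util.base_util';

#echo("action.cfv");

string username = command_line.login_username;
string password = command_line.login_password;
#echo("username=" . username);

# If internal.authorization_basic_username is specified (the results of HTTP Basic authentication),
# use that instead of command_line
if ((username eq "") and (node_exists("internal.authorization_basic_username"))) then (
  username = internal.authorization_basic_username;
  password = internal.authorization_basic_password;
  # echo("Got Basic Auth: username=" . username);
);

# If no username is specified, and there is no HTTP Basic authentication provided,
# set internal.extra_http_headers to tell the server to respond with a 401 challenge.
if ((username eq "") and (!node_exists("internal.authorization_basic_username"))) then (
  internal.extra_http_headers = "Return-Code: 401 Unauthorized\r\n";
  internal.extra_http_headers .= `WWW-Authenticate: Basic realm="Reports"\r\n`;
);

if (username eq "") then (
  action_fail("Username (lun) is zero length.  You must specify a username"); #LM
);

else if (password eq "") then (
  action_fail("Password (lpw) is zero length.  You must specify a password"); #LM
);

else (

  # Step 2: verify the supplied credentials. The result is kept in its own
  # variable so that the permission check below cannot overwrite it.
  bool credentials_valid = authenticate(username, password, true);
  #echo("credentials_valid: " . credentials_valid);
  #echo("authenticated_user: " . volatile.authenticated_user);
  #echo("authenticated_user_node_path: " . volatile.authenticated_user_node_path);

  # Only allow network accesses by root admin
  #node user;
  #foreach user 'users' (
  #  if ((@user{"username"} eq username) and (node_name(user) ne "root_admin")) then
  #    authentication_succeeded = false;
  #);

  # Determine the tier
  string licensing_tier = get_licensing_tier();
  #echo("licensing.licenses: " . node_as_string('volatile.licensing'));
  #echo("licensing_tier: " . licensing_tier);

  # Step 3: check if this user has permission to run this action for this profile.
  string action_name = command_line.action;
  string action_profile_name = "(none)";
  if ('internal'?{'profile_name'}) then
    action_profile_name = @'internal'{'profile_name'};

  # The permission lookup is keyed on the username alone, so it is only
  # consulted once the credentials have been verified.
  bool has_permission = false;
  if (credentials_valid) then
    has_permission = get_user_has_network_api_access_permission(licensing_tier, username, action_name, action_profile_name);

  bool authentication_succeeded = credentials_valid and has_permission;
  #echo("authentication_succeeded: " . authentication_succeeded);

  if (authentication_succeeded) then (

    if (action_name eq "") then (
      action_fail("No action specified.  You must include an action in the URL with -a=action.");
    );

    else (

      # echo("Action=" . action_name);

      # Find which action matches. The request only selects one of the actions
      # configured under 'actions', by node name or by shortcut; 'internal' is
      # the "not found" sentinel.
      node action = 'internal';
      node actioni;
      foreach actioni 'actions' (
        # echo("actioni: " . actioni);
        if (node_name(actioni) eq action_name) then (
          action = actioni;
        );
        else if (@actioni{"shortcut"} eq action_name) then (
          action = actioni;
        );
      );

      if (action eq "internal") then (
        # NOTE(review): action_name is request-supplied and is echoed back here;
        # confirm action_fail() encodes its message for the response format.
        action_fail("Unknown action " . action_name);
        return;
      );

      # If it's a known action, execute it
      else (

        #echo("action: " . node_as_string(action));
        #echo("@action{requires_profile}: " . @action{"requires_profile"});

        if (action?{"requires_profile"} and @action{"requires_profile"} and (command_line.profile eq "")) then (
          action_fail("ERROR: The '" . action_name . "' action requires a profile name (-p profilename)");
          return;
        );

        # Reject the request if any parameter marked "required" was not supplied.
        # echo("parameters: " . node_as_string(action{"parameters"}));
        node parameter;
        foreach parameter (action{"parameters"}) (
          if (parameter?{"required"} and (@parameter{"required"})) then (
            # echo("parameter: " . parameter);
            # The parameter's node name (from the action configuration) is
            # compiled and evaluated to read its current value.
            # presumably "(unspecified)" is the default for a parameter that
            # was not given -- TODO confirm against the parameter definitions.
            node compiled_parameter_value = compile(node_name(parameter));
            string parameter_value = evaluate(compiled_parameter_value);
            # echo("parameter_value=" . parameter_value);
            if (parameter_value eq "(unspecified)") then (
              action_fail("The '" . node_name(parameter) . "' parameter (" . @parameter{"shortcut"} . ") must be specified for the '" . action_name . "' action");
              return;
            );
          );
        );

        # The expression that runs comes from the action's configuration node,
        # not from the request.
        # echo("action: " . action);
        string expression = @action{"expression"};
        # echo("expression: " . expression);
        node compiled_expression = compile(expression);
        # node r = evaluate(compiled_expression);
        string evalresult = evaluate(compiled_expression);
        # string result = evaluate(compiled_expression);
        # echo("DONE");
        # echo("evalresult: " . evalresult);
        # echo("result: " . result);

        # echo("ACTION RESULT:");
        # echo(result);

        # The action's result is the value of this template.
        evalresult;

      ); # if known action

    ); # if action specified

  ); # If authentication succeeded

  else (

    # If we're using Basic auth, re-challenge
    if (?"internal.authorization_basic_username") then (
      internal.extra_http_headers = "Return-Code: 401 Unauthorized\r\n";
      internal.extra_http_headers .= `WWW-Authenticate: Basic realm="Reports"\r\n`;
    );

    # One message covers both bad credentials and missing permission, so the
    # response does not reveal which of the two checks failed.
    # NOTE(review): username, action_name and action_profile_name are
    # request-influenced and are echoed back here; confirm action_fail()
    # encodes its message for the response format.
    action_fail("Authentication failed.  User '" . username . "' does not have access to run action '" . action_name . "' on profile '" . action_profile_name . "'. You must include a valid username and password, for a user with the necessary RBAC privileges (or root administrator), in the URL with &lun=username&lpw=password");

  );

); # username and password specified

=}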